From: Numan Siddique <num...@ovn.org>

When ovn-controller injects an IPv6 NS packet to learn the MAC, in some
setups it is observed that the packet is dropped by ovs-vswitchd. We see
the logs below:

2019-11-18T10:42:17.973Z|00001|ofproto_dpif_upcall(handler6)|INFO|received packet on unassociated datapath port 4294967295
2019-11-18T10:42:18.221Z|00001|ofproto_dpif_upcall(revalidator8)|WARN|Failed to acquire udpif_key corresponding to unexpected flow (Invalid argument): ufid:9ba1081f-a692-4c1c-a79b-d1cf04175f7d

Upon further debugging I noticed that xlate_lookup() fails when there is an
upcall from the kernel datapath because of ct related actions. When
ovn-controller injects the packet it sets inport=CONTROLLER.

This patch addresses this issue by preventing the IPv6 NS packets from
being sent to conntrack in the router egress pipeline.

Ideally, this should be fixed in ovs-vswitchd.

Reported-by: Russell Bryant <russ...@ovn.org>
Signed-off-by: Numan Siddique <num...@ovn.org>
---
 northd/ovn-northd.8.xml | 9 +++++++++
 northd/ovn-northd.c     | 5 +++++
 2 files changed, 14 insertions(+)

diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
index 78b1e84ad..956a10362 100644
--- a/northd/ovn-northd.8.xml
+++ b/northd/ovn-northd.8.xml
@@ -2826,6 +2826,15 @@ nd_ns {
       changed based on the configuration in the OVN Northbound database.
     </p>
 
+    <ul>
+      <li>
+        A priority-120 flow to advance the IPv6 Neighbor solicitation packet
+        to next table to skip SNAT. In the case where ovn-controller injects
+        an IPv6 Neighbor Solicitation packet (for <code>nd_ns</code> action)
+        we don't want the packet to go throught conntrack.
+      </li>
+    </ul>
+
     <p>Egress Table 1: SNAT on Gateway Routers</p>
 
     <ul>
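Review bot: the added list item explains why the flow exists but never states what it matches or does, so a reader cannot map it to the logical flow; please spell out the match "nd_ns" and the action "next;" the way the code installs them. In the same item, "throught" should be "through", and "Neighbor solicitation" on the first line should be capitalised consistently with "Neighbor Solicitation" two lines below.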
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index 41e97f841..ccccd9651 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -7976,6 +7976,11 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap 
*ports,
         ovn_lflow_add(lflows, od, S_ROUTER_OUT_UNDNAT, 0, "1", "next;");
         ovn_lflow_add(lflows, od, S_ROUTER_OUT_EGR_LOOP, 0, "1", "next;");
 
+        /* Send the IPv6 NS packets to next table. When ovn-controller
+         * generates IPv6 NS (for the action - nd_ns{}), the injected
+         * packet would go through conntrack - which is not required. */
+        ovn_lflow_add(lflows, od, S_ROUTER_OUT_SNAT, 120, "nd_ns", "next;");
+
         /* NAT rules are only valid on Gateway routers and routers with
          * l3dgw_port (router has a port with "redirect-chassis"
          * specified). */
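Review bot: the match in the added ovn_lflow_add() call is plain "nd_ns", so this priority-120 flow moves every Neighbor Solicitation in S_ROUTER_OUT_SNAT to the next table, not only the packets ovn-controller injects with inport=CONTROLLER as the commit message describes. It is also added next to the unconditional priority-0 flows, ahead of the "NAT rules are only valid on Gateway routers" block, so it is installed regardless of whether NAT is configured. If bypassing SNAT for all NS traffic is intended, say so in the comment, and mark the flow as a workaround for the ovs-vswitchd drop so it can be removed once that is fixed there. The diffstat lists only the man page and ovn-northd.c; a test that checks for the new flow would help keep the workaround from regressing.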
-- 
2.23.0
